I have a container running in ECS and it's using boto3 to connect to ssm.us-east-2.amazonaws.com. The connection is timing out. The container is using network mode awsvpc and I don't have a NAT Gateway. I thought this wouldn't be a problem since the EC2 instance and the container are both in a public subnet… but I could be wrong. When I ssh into the EC2 instance that's running the container, I'm able to ping the ssm host, but somehow the container can't reach it.
I had a situation last month where a container was relaunching repeatedly and accessing ECR through a NAT Gateway, and the result was terabytes of traffic and a huge bill. I'd really like to avoid using a NAT Gateway if possible.
How do I diagnose the problem here? The app is quitting immediately because it fails to access AWS SSM. Here is the security group for the EC2 instance:
module "sg" {
  source  = "cloudposse/security-group/aws"
  version = "0.4.3"

  # Allow unlimited egress
  allow_all_egress = true

  rules_map = {
    "API" = [{
      type        = "ingress"
      from_port   = 5050
      to_port     = 5050
      protocol    = "tcp"
      cidr_blocks = module.subnets.public_subnet_cidrs
      self        = null
      description = "Allow calling API (HTTP) from IPs in our public subnets (which includes the ALB)"
    }],
    "SSH" = [{
      type        = "ingress"
      from_port   = 22
      to_port     = 22
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      self        = null
      description = "Allow SSH from all IPs"
    }]
  }

  vpc_id  = module.vpc.vpc_id
  context = module.this.context
}
I'm also using this security group with the ecs-alb-service-task I declared in a previous question. I am not sure whether the problem is with a security group, the networking mode, or something else. The AWS documentation on network modes strongly suggests that awsvpc is the preferred mode, but I still don't really understand the implications or how to pick the right one. I have also tried using the default mode (bridge, since I'm on Amazon Linux) and I get the same error.
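The question asks how to diagnose the timeout, so here is an added, editor-written example (not code from the question or from the cloudposse module) that encodes the checks a reviewer would run on the describe-* output for the task's ENI: security-group egress on TCP/443, the subnet's default route, whether the ENI actually has a public IP, and whether an SSM interface endpoint with private DNS exists in the VPC. The dictionaries mirror the field names of `aws ec2 describe-network-interfaces`, `describe-route-tables`, `describe-security-groups` and `describe-vpc-endpoints`, but all IDs and values are constructed sample data, not output from a real account, and the endpoint's own security group (which must admit inbound 443 from the task) is deliberately not modelled. The case the question describes (public subnet, igw route, egress open, no NAT, no endpoint) comes out unreachable for a reason that ping from the host cannot reveal: a task ENI in awsvpc mode on the EC2 launch type is not given a public IP, so the internet-gateway route that works for the instance does not work for the task.

```python
"""Decision logic for an ECS task ENI trying to reach ssm.us-east-2.amazonaws.com
from a subnet with no NAT Gateway. All data below is constructed sample data with
hypothetical IDs; field names follow the AWS CLI describe-* output shape."""

# Interface endpoint service name for SSM in us-east-2 (AWS naming convention).
SSM_SERVICE = "com.amazonaws.us-east-2.ssm"


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def egress_allows_https(security_group):
    """True if some egress rule lets TCP/443 (or all traffic) out to 0.0.0.0/0."""
    for perm in security_group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)
        )
        open_to_all = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        if port_ok and open_to_all:
            return True
    return False


def ssm_endpoint_available(vpc_endpoints, vpc_id):
    """True if the VPC has an available SSM interface endpoint with private DNS,
    so the public SSM hostname resolves to a private address inside the VPC."""
    return any(
        ep.get("ServiceName") == SSM_SERVICE
        and ep.get("VpcId") == vpc_id
        and ep.get("VpcEndpointType") == "Interface"
        and ep.get("State") == "available"
        and ep.get("PrivateDnsEnabled")
        for ep in vpc_endpoints
    )


def diagnose(eni, route_table, security_groups, vpc_endpoints):
    """Return (reachable, reasons) for the task ENI described by `eni`."""
    reasons = []
    if not all(egress_allows_https(sg) for sg in security_groups):
        reasons.append("a security group on the task ENI blocks egress on TCP/443")
        return False, reasons
    if ssm_endpoint_available(vpc_endpoints, eni["VpcId"]):
        reasons.append("SSM interface endpoint with private DNS answers inside the VPC")
        return True, reasons

    route = default_route(route_table)
    public_ip = eni.get("Association", {}).get("PublicIp")  # absent on EC2-launch-type task ENIs
    gateway = str((route or {}).get("GatewayId", ""))
    if route is None:
        reasons.append("route table has no 0.0.0.0/0 route")
    elif route.get("NatGatewayId"):
        reasons.append(f"default route goes through NAT Gateway {route['NatGatewayId']}")
        return True, reasons
    elif gateway.startswith("igw-") and public_ip:
        reasons.append(f"ENI has public IP {public_ip} and the subnet routes to an internet gateway")
        return True, reasons
    elif gateway.startswith("igw-"):
        reasons.append("subnet is public (igw route) but the task ENI has no public IP; "
                       "awsvpc tasks on the EC2 launch type are not given one, so the igw "
                       "route is unusable without a NAT Gateway or a VPC endpoint")
    else:
        reasons.append("default route target is neither an internet gateway nor a NAT gateway")
    return False, reasons


# Constructed sample data (hypothetical IDs) reproducing the setup in the question.
TASK_ENI = {"NetworkInterfaceId": "eni-0123456789abcdef0", "VpcId": "vpc-0abc",
            "SubnetId": "subnet-0pub", "PrivateIpAddress": "10.0.1.25"}  # no Association -> no public IP
PUBLIC_ROUTE_TABLE = {"RouteTableId": "rtb-0pub", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]}
SG_ALLOW_ALL_EGRESS = {"GroupId": "sg-0abc", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SSM_ENDPOINT = {"VpcEndpointId": "vpce-0ssm", "VpcEndpointType": "Interface", "VpcId": "vpc-0abc",
                "ServiceName": SSM_SERVICE, "State": "available", "SubnetIds": ["subnet-0pub"],
                "PrivateDnsEnabled": True}

if __name__ == "__main__":
    for label, endpoints in (("no endpoint", []), ("with SSM endpoint", [SSM_ENDPOINT])):
        ok, why = diagnose(TASK_ENI, PUBLIC_ROUTE_TABLE, [SG_ALLOW_ALL_EGRESS], endpoints)
        print(f"{label}: {'reachable' if ok else 'unreachable'} ({'; '.join(why)})")
```

To apply this to a live account, fetch the task's ENI ID from `aws ecs describe-tasks` (the `attachments` details carry `networkInterfaceId`), then feed the corresponding describe-* results into `diagnose`. The two constructed runs show the fix without a NAT Gateway: an SSM interface endpoint with private DNS keeps the traffic inside the VPC, which also avoids the per-gigabyte NAT charges the question is worried about.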